Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of 
claims in the application: 

Listing of Claims: 

1. (Previously Presented) A method of re-authenticating and protecting 
communication security comprising the steps of: 

a) performing a secondary authentication protocol between a client 
electronic system (client) and a network access point electronic system (AP) 
using a key lease generated by performance of a primary authentication 
protocol, wherein said key lease includes a key lease period for indicating a 
length of time in which said key lease is valid for using said secondary 
authentication protocol instead of said primary authentication protocol; and 

b) if said secondary authentication protocol is successful, 
generating a session encryption key for encrypting communication traffic 
between said client and said AP. 

2. (Original) A method as recited in Claim 1 wherein said step a) 
includes the steps of:

transmitting said key lease from said client to said AP; 
generating a first random number associated with said client and a 
second random number associated with said AP, wherein said key lease 
includes an encryption key for use in said secondary authentication protocol;
and 

transmitting said first random number to said AP and said second 
random number to said client. 

3. (Original) A method as recited in Claim 2 wherein said step b) 
includes: 

using said encryption key, said first random number, said second 
random number, and a hash function to determine said session encryption 
key. 

4. (Original) A method as recited in Claim 3 wherein said step b) 
includes: 

applying a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

5. (Original) A method as recited in Claim 3 wherein said step b) 
includes: 

applying a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

6. (Original) A method as recited in Claim 2 wherein said step b)
includes: 

generating a first session encryption key for encrypting communication 
traffic from said client to said AP; and 

generating a second session encryption key for encrypting 
communication traffic from said AP to said client. 

7. (Original) A method as recited in Claim 6 wherein said step b) 
includes: 

using said encryption key, said first random number, said second 
random number, a first media access control (MAC) address associated with 
said client, a second media access control (MAC) address associated with
said AP, and a hash function to determine said first and second session 
encryption keys. 

8. (Original) A method as recited in Claim 7 wherein said step b) 
includes: 

applying a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

9. (Original) A method as recited in Claim 7 wherein said step b)
includes: 

applying a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to
determine said first session encryption key. 

10. (Original) A method as recited in Claim 7 wherein said step b) 
includes: 

applying a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and 
said first media access control (MAC) address associated with said client to 
determine said second session encryption key. 

11. (Original) A method as recited in Claim 7 wherein said step b) 
includes: 

applying a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and 
said first media access control (MAC) address associated with said client to 
determine said second session encryption key. 
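The derivations recited in Claims 3 to 11, written out as an added Python example (not part of the filing): both ends compute an HMAC keyed with the lease's encryption key over the two random numbers, and for directional keys append the two MAC addresses in swapped order. The 16-byte random-number length, the function names and the sample values are assumptions of this example.

```python
import hmac
import secrets

NONCE_LEN = 16  # assumption: the claims do not fix a length for the random numbers


def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' (or '-' separated) into 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return raw


def check_nonces(client_nonce, ap_nonce):
    # Fixed-length fields keep the concatenation unambiguous: two different
    # (nonce, nonce, MAC, MAC) tuples can never serialise to the same input.
    if len(client_nonce) != NONCE_LEN or len(ap_nonce) != NONCE_LEN:
        raise ValueError(f"random numbers must be {NONCE_LEN} bytes")


def derive_shared_key(lease_key, client_nonce, ap_nonce, digest="sha1"):
    """Claims 3-5: a single key, HMAC(lease_key, nonce1 || nonce2)."""
    check_nonces(client_nonce, ap_nonce)
    return hmac.new(lease_key, client_nonce + ap_nonce, digest).digest()


def derive_directional_keys(lease_key, client_nonce, ap_nonce,
                            client_mac, ap_mac, digest="sha1"):
    """Claims 7-11: return (client_to_ap_key, ap_to_client_key).

    Both keys cover nonce1 || nonce2; only the order of the MAC addresses
    differs, which is what separates the two traffic directions.
    """
    check_nonces(client_nonce, ap_nonce)
    c, a = parse_mac(client_mac), parse_mac(ap_mac)
    if c == a:
        # Identical addresses would make both directions share one key.
        raise ValueError("client and AP MAC addresses must differ")
    base = client_nonce + ap_nonce
    client_to_ap = hmac.new(lease_key, base + c + a, digest).digest()
    ap_to_client = hmac.new(lease_key, base + a + c, digest).digest()
    return client_to_ap, ap_to_client


if __name__ == "__main__":
    # Constructed sample values; in the claimed method lease_key is the
    # encryption key carried in the key lease.
    lease_key = secrets.token_bytes(16)
    n_client = secrets.token_bytes(NONCE_LEN)
    n_ap = secrets.token_bytes(NONCE_LEN)
    client_mac, ap_mac = "02:00:00:00:00:01", "02:00:00:00:00:02"

    # Each side runs the same computation on the values it sent and received.
    client_view = derive_directional_keys(lease_key, n_client, n_ap,
                                          client_mac, ap_mac)
    ap_view = derive_directional_keys(lease_key, n_client, n_ap,
                                      client_mac, ap_mac)
    assert client_view == ap_view
    print("client->AP:", client_view[0].hex())
    print("AP->client:", client_view[1].hex())
```

The `digest` parameter accepts any hashlib algorithm name, so the same construction can be run with "md5" (Claims 4, 8, 10) or with a newer hash.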

12. (Previously Presented) An apparatus for re-authenticating and
protecting communication security comprising: 

a client electronic system (client) configured to perform a secondary 
authentication protocol with a network access point electronic system (AP) 
using a key lease generated by performance of a primary authentication 
protocol, wherein said key lease includes a key lease period for indicating a 
length of time in which said key lease is valid for using said secondary 
authentication protocol instead of said primary authentication protocol, wherein 
if said secondary authentication protocol is successful said client is configured 
to generate a session encryption key for encrypting communication traffic 
between said client and said AP. 

13. (Original) An apparatus as recited in Claim 12 wherein said client is 
configured to transmit said key lease to said AP, wherein said client is 
configured to generate a first random number, wherein said key lease includes 
an encryption key for use in said secondary authentication protocol, wherein 
said client is configured to transmit said first random number to said AP and to 
receive a second random number from said AP. 

14. (Original) An apparatus as recited in Claim 13 wherein said client is 
configured to use said encryption key, said first random number, said second 
random number, and a hash function to determine said session encryption
key. 

15. (Original) An apparatus as recited in Claim 14 wherein said client is 
configured to apply a HMAC-MD5 algorithm and said encryption key on a
concatenation of said first random number and said second random number to 
determine said session encryption key. 

16. (Original) An apparatus as recited in Claim 14 wherein said client is 
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

17. (Original) An apparatus as recited in Claim 13 wherein said client is 
configured to generate a first session encryption key for encrypting 
communication traffic from said client to said AP, and wherein said client is 
configured to generate a second session encryption key for encrypting 
communication traffic from said AP to said client. 

18. (Original) An apparatus as recited in Claim 17 wherein said client is 
configured to use said encryption key, said first random number, said second 
random number, a first media access control (MAC) address associated with 
said client, a second media access control (MAC) address associated with 
said AP, and a hash function to determine said first and second session
encryption keys.

19. (Original) An apparatus as recited in Claim 17 wherein said client is 
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

20. (Original) An apparatus as recited in Claim 17 wherein said client is 
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

21. (Original) An apparatus as recited in Claim 17 wherein said client is
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and 
said first media access control (MAC) address associated with said client to 
determine said second session encryption key. 

22. (Original) An apparatus as recited in Claim 17 wherein said client is
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and 
said first media access control (MAC) address associated with said client to 
determine said second session encryption key. 

23. (Previously Presented) An apparatus for re-authenticating and 
protecting communication security comprising: 

a network access point electronic system (AP) configured to perform a 
secondary authentication protocol with a client electronic system (client) using 
a key lease generated by performance of a primary authentication protocol, 
wherein said key lease includes a key lease period for indicating a length of 
time in which said key lease is valid for using said secondary authentication 
protocol instead of said primary authentication protocol, wherein if said 
secondary authentication protocol is successful said AP is configured to 
generate a session encryption key for encrypting communication traffic 
between said client and said AP. 



24. (Original) An apparatus as recited in Claim 23 wherein said AP is
configured to receive said key lease and a first random number from said 
client, wherein said key lease includes an encryption key for use in said 
secondary authentication protocol, wherein said AP is configured to generate a
second random number and to transmit said second random number to said 
client. 

25. (Original) An apparatus as recited in Claim 24 wherein said AP is
configured to use said encryption key, said first random number, said second 
random number, and a hash function to determine said session encryption 
key. 

26. (Original) An apparatus as recited in Claim 25 wherein said AP is
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

27. (Original) An apparatus as recited in Claim 25 wherein said AP is
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number and said second random number to 
determine said session encryption key. 

28. (Original) An apparatus as recited in Claim 24 wherein said AP is
configured to generate a first session encryption key for encrypting 
communication traffic from said client to said AP, and wherein said AP is 
configured to generate a second session encryption key for encrypting
communication traffic from said AP to said client. 

29. (Original) An apparatus as recited in Claim 28 wherein said AP is
configured to use said encryption key, said first random number, said second 
random number, a first media access control (MAC) address associated with 
said client, a second media access control (MAC) address associated with 
said AP, and a hash function to determine said first and second session 
encryption keys. 

30. (Original) An apparatus as recited in Claim 29 wherein said AP is
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

31. (Original) An apparatus as recited in Claim 29 wherein said AP is
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
first media access control (MAC) address associated with said client, and said 
second media access control (MAC) address associated with said AP to 
determine said first session encryption key. 

32. (Original) An apparatus as recited in Claim 29 wherein said AP is
configured to apply a HMAC-MD5 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and 
said first media access control (MAC) address associated with said client to 
determine said second session encryption key. 

33. (Original) An apparatus as recited in Claim 29 wherein said AP is
configured to apply a HMAC-SHA-1 algorithm and said encryption key on a 
concatenation of said first random number, said second random number, said 
second media access control (MAC) address associated with said AP, and 
said first media access control (MAC) address associated with said client to 
determine said second session encryption key. 

34. (Previously Presented) A method of authenticating a client electronic 
system (client) comprising the steps of: 

a) in response to a first request to authenticate, performing a primary 
authentication protocol between said client and a first network access point 
electronic system (first AP) to allow access to a network; 

b) if said primary authentication protocol is successful, generating a 
key lease, wherein said key lease includes context information and a key lease 
period for indicating a length of time in which said key lease is valid for using a 
secondary authentication protocol instead of said primary authentication
protocol; 

c) transmitting said key lease to said client; and 

d) in response to a second request to authenticate, performing said 
secondary authentication protocol between said client and a second network 
access point electronic system (second AP) using said key lease. 

35. (Original) A method as recited in Claim 34 further comprising the
step of: 

e) if said secondary authentication is successful, using said context 
information of said lease key to control access of said client to said network. 

36. (Original) A method as recited in Claim 34 wherein said context
information includes information established in said primary authentication 
protocol. 

37. (Original) A method as recited in Claim 34 wherein said context
information includes accounting information, session timeout information, and 
filtering information. 

38. (Previously Presented) A method as recited in Claim 34 wherein said 
key lease further includes a first identifier associated with said client, a first 
encryption key associated with said primary authentication protocol, a second 
encryption key for use in said secondary authentication protocol, integrity
function data for determining an unauthorized change to a first portion of said 
key lease, and a second identifier associated with a particular network access 
point electronic system group of a plurality of network access point electronic 
system groups. 

39. (Original) A method as recited in Claim 38 wherein said first portion
includes said first identifier, said first encryption key, said second encryption 
key, said key lease period, and said context information. 

40. (Original) A method as recited in Claim 38 wherein a second portion
of said key lease is encrypted using a third encryption key. 

41. (Original) A method as recited in Claim 40 wherein said second 
portion includes said first identifier, said first encryption key, said second 
encryption key, said key lease period, said context information, and said 
integrity function data. 

42. (Original) A method as recited in Claim 40 wherein said step b)
includes: 

b1) transmitting said first identifier and said key lease to said second
AP;

b2) if said second AP is associated with said second identifier of said
key lease, retrieving said third encryption key corresponding to said second 
identifier; and 

b3) decrypting said second portion of said key lease using said 
retrieved third encryption key. 

43. (Original) A method as recited in Claim 42 wherein said step b)
further includes: 

b4) determining whether said first identifier transmitted by said client 
matches said first identifier decrypted from said key lease; 

b5) determining whether said integrity function data decrypted from 
said key lease matches an integrity function performed on said first portion of 
said key lease; 

b6) determining whether said key lease period has not expired; and 
b6) determining whether said key lease period has not expired; and

b7) if valid determinations are made in said steps b4) to b6), initiating
said secondary authentication protocol between said client and said second
AP.
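The AP-side acceptance checks of Claims 42 and 43, sketched as an added Python example (not part of the filing). It starts from the lease's second portion after the step b3 decryption, and assumes an absolute Unix-time expiry, a length-prefixed field encoding, and HMAC-SHA-1 keyed with the AP group's key as the integrity function; all names and sample values are constructed.

```python
import hmac
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LeaseBody:
    """Second portion of a key lease after decryption (fields of Claim 41)."""
    client_id: bytes         # first identifier
    primary_key: bytes       # first encryption key
    secondary_key: bytes     # second encryption key
    expires_at: int          # key lease period, absolute Unix seconds (assumption)
    context: bytes           # context information, opaque here
    integrity: bytes = b""   # integrity function data


def first_portion(body):
    """Serialise the Claim 39 fields; length prefixes pin the field boundaries."""
    fields = (body.client_id, body.primary_key, body.secondary_key,
              body.expires_at.to_bytes(8, "big"), body.context)
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def integrity_tag(group_key, body):
    # Assumption: the claims only say "integrity function"; a keyed HMAC
    # over the first portion stands in for it in this example.
    return hmac.new(group_key, first_portion(body), "sha1").digest()


def seal(group_key, body):
    """Issuer side: attach integrity function data to a lease body."""
    return replace(body, integrity=integrity_tag(group_key, body))


def check_lease(presented_id, group_id, body, ap_group_keys, now):
    """Return None to start the secondary protocol (b7), else a rejection reason."""
    group_key = ap_group_keys.get(group_id)                      # b2
    if group_key is None:
        return "AP is not in the lease's AP group"
    # b3, decrypting the second portion with the group key, is taken as
    # already done: `body` is the plaintext result.
    # Integrity is checked first so the other fields are only trusted
    # once they are known to be unmodified.
    if not hmac.compare_digest(integrity_tag(group_key, body), body.integrity):
        return "integrity mismatch"                              # b5
    if not hmac.compare_digest(presented_id, body.client_id):
        return "identifier mismatch"                             # b4
    if now >= body.expires_at:
        return "lease expired"                                   # b6
    return None


if __name__ == "__main__":
    # Constructed sample data.
    ap_keys = {b"group-A": b"K" * 16}
    lease = seal(ap_keys[b"group-A"],
                 LeaseBody(b"client-1", b"P" * 16, b"S" * 16, 2000, b"vlan=10"))
    tampered = replace(lease, expires_at=9999)  # lifetime extended after sealing
    for label, args in [
        ("valid", (b"client-1", b"group-A", lease, ap_keys, 1000)),
        ("other client", (b"client-2", b"group-A", lease, ap_keys, 1000)),
        ("expired", (b"client-1", b"group-A", lease, ap_keys, 2000)),
        ("tampered", (b"client-1", b"group-A", tampered, ap_keys, 1000)),
    ]:
        print(label, "->", check_lease(*args) or "proceed to secondary protocol")
```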

44. (Original) A method as recited in Claim 34 wherein said secondary
authentication protocol comprises a mutual challenge-response protocol 
based on symmetric encryption. 

45. (Original) A method as recited in Claim 34 wherein said secondary
authentication protocol comprises a mutual challenge-response protocol 
based on a one-way hash function message authentication code (HMAC) 
implementation. 

46. (Original) A method as recited in Claim 34 wherein said secondary
authentication protocol comprises a mutual challenge-response protocol 
based on a keyed message authentication code implementation. 

47. (Previously Presented) An apparatus for performing an authentication 
protocol, comprising: 

a client electronic system (client) configured to perform a primary 
authentication protocol with a first network access point electronic system (first 
AP) to allow access to a network in response to a first request to authenticate, 
wherein said client is configured to receive a key lease if said primary 
authentication protocol is successful, wherein said key lease includes context 
information and a key lease period for indicating a length of time in which said 
key lease is valid for using a secondary authentication protocol instead of said 
primary authentication protocol, and wherein said client is configured to 
perform a said secondary authentication protocol with a second network 
access point electronic system (second AP) using said key lease in response 
to a second request to authenticate. 

48. (Original) An apparatus as recited in Claim 47 wherein if said
secondary authentication is successful, said second AP uses said context 
information of said lease key to control access of said client to said network. 



49. (Original) An apparatus as recited in Claim 47 wherein said context
information includes information established in said primary authentication 
protocol. 

50. (Original) An apparatus as recited in Claim 47 wherein said context
information includes accounting information, session timeout information, and 
filtering information. 

51. (Previously Presented) An apparatus as recited in Claim 47 wherein 
said key lease further includes a first identifier associated with said client, a 
first encryption key associated with said primary authentication protocol, a 
second encryption key for use in said secondary authentication protocol, 
integrity function data for determining an unauthorized change to a first portion 
of said key lease, and a second identifier associated with a particular network 
access point electronic system group of a plurality of network access point 
electronic system groups. 

52. (Original) An apparatus as recited in Claim 51 wherein said first
portion includes said first identifier, said first encryption key, said second 
encryption key, said key lease period, and said context information. 

53. (Original) An apparatus as recited in Claim 51 wherein a second
portion of said key lease is encrypted using a third encryption key. 

54. (Original) An apparatus as recited in Claim 53 wherein said second
portion includes said first identifier, said first encryption key, said second 
encryption key, said key lease period, said context information, and said
integrity function data. 

55. (Original) An apparatus as recited in Claim 53 wherein said client is
configured to transmit said first identifier and said key lease to said second AP, 
wherein said second AP retrieves said third encryption key corresponding to 
said second identifier if said second AP is associated with said second 
identifier of said key lease, and wherein said second AP decrypts said second 
portion of said key lease using said retrieved third encryption key. 

56. (Original) An apparatus as recited in Claim 55 wherein said second
AP determines whether said first identifier transmitted by said client matches 
said first identifier decrypted from said key lease, determines whether said 
integrity function data decrypted from said key lease matches an integrity 
function performed on said first portion of said key lease, and determines
whether said key lease period has not expired, and wherein if verification of
said first identifier, said integrity function data, and said key lease period is 
successful, said second AP initiates said secondary authentication protocol 
with said client. 

57. (Original) An apparatus as recited in Claim 47 wherein said
secondary authentication protocol comprises a mutual challenge-response 
protocol based on symmetric encryption. 

58. (Original) An apparatus as recited in Claim 47 wherein said
secondary authentication protocol comprises a mutual challenge-response 
protocol based on a one-way hash function message authentication code 
(HMAC) implementation. 

59. (Original) An apparatus as recited in Claim 47 wherein said
secondary authentication protocol comprises a mutual challenge-response 
protocol based on a keyed message authentication code implementation. 

60. (Previously Presented) An apparatus for performing an authentication 
protocol, comprising: 

a first network access point electronic system (first AP) configured to 
perform a primary authentication protocol with a client electronic system (client) 
to allow access to a network in response to a first request to authenticate,
wherein said first AP is configured to generate a key lease and transmit said 
key lease to said client if said primary authentication protocol is successful, 
wherein said key lease includes context information and a key lease period for 
indicating a length of time in which said key lease is valid for using a secondary 
authentication protocol instead of said primary authentication protocol, and 

a second network access point electronic system (second AP) 
configured to perform said secondary authentication protocol with said client
using said key lease in response to a second request to authenticate. 

61. (Original) An apparatus as recited in Claim 60 wherein if said 
secondary authentication is successful, said second AP uses said context 
information of said lease key to control access of said client to said network. 

62. (Original) An apparatus as recited in Claim 60 wherein said context
information includes information established in said primary authentication 
protocol. 

63. (Original) An apparatus as recited in Claim 60 wherein said context
information includes accounting information, session timeout information, and 
filtering information. 

64. (Previously Presented) An apparatus as recited in Claim 60 wherein
said key lease further includes a first identifier associated with said client, a 
first encryption key associated with said primary authentication protocol, a 
second encryption key for use in said secondary authentication protocol, 
integrity function data for determining an unauthorized change to a first portion 
of said key lease, and a second identifier associated with a particular network 
access point electronic system group of a plurality of network access point 
electronic system groups. 

65. (Original) An apparatus as recited in Claim 64 wherein said first
portion includes said first identifier, said first encryption key, said second 
encryption key, said key lease period, and said context information. 

66. (Original) An apparatus as recited in Claim 64 wherein a second
portion of said key lease is encrypted using a third encryption key. 

67. (Original) An apparatus as recited in Claim 66 wherein said second
portion includes said first identifier, said first encryption key, said second 
encryption key, said key lease period, said context information, and said 
integrity function data. 

68. (Original) An apparatus as recited in Claim 66 wherein said second
AP is configured to receive said first identifier and said key lease from said 
client, wherein said second AP is configured to retrieve said third encryption key
corresponding to said second identifier if said second AP is associated with 
said second identifier of said key lease, and wherein said second AP is 
configured to decrypt said second portion of said key lease using said retrieved 
third encryption key. 

69. (Original) An apparatus as recited in Claim 68 wherein said second
AP is configured to determine whether said first identifier transmitted by said 
client matches said first identifier decrypted from said key lease, to determine 
whether said integrity function data decrypted from said key lease matches an 
integrity function performed on said first portion of said key lease, and to 
determine whether said key lease period has not expired, and wherein if 
verification of said first identifier, said integrity function data, and said key lease 
period is successful, said second AP is configured to initiate said secondary 
authentication protocol with said client. 

70. (Original) An apparatus as recited in Claim 60 wherein said
secondary authentication protocol comprises a mutual challenge-response 
protocol based on symmetric encryption. 

71. (Original) An apparatus as recited in Claim 60 wherein said 
secondary authentication protocol comprises a mutual challenge-response 
protocol based on a one-way hash function message authentication code
(HMAC) implementation. 



72. (Original) An apparatus as recited in Claim 60 wherein said 
secondary authentication protocol comprises a mutual challenge-response 
protocol based on a keyed message authentication code implementation. 